Renewing SSL certificate issues with an old CA Root X3

despinosa · September 14, 2021, 10:16pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:vibriefing.news

I ran this command: Webmin (Let's encrypt)

It produced this output:DST Root CA X3 - Valid from 9/30/2000 to 9/30/2021

My web server is (include version):https://(N/A)

The operating system my web server runs on is (include version):linux

My hosting provider, if applicable, is: GCP

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):webmin SSL configuration

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): I am using the GUI from webmin

How can I renew it with a different DST Root CA number. As you can see the certificate renews for 3 months but it is strangely assigned to an expired Let's encrypt certificate.

Thank you!

rg305 · September 14, 2021, 10:27pm

Hi @despinosa, welcome to the LE community forum

How did you check that?

I think you might be getting fooled by your own browser [which is likely trying to build the cert chain].

The chain served by the webserver is updated.
See:
https://www.ssllabs.com/ssltest/getTestChain?d=vibriefing.news&latest&cid=0ee13727674932d64353586a3aaafae00ae92416cb754707c491e7f24fbf349d&time=1631657857129

despinosa · September 15, 2021, 1:55pm

Thanks, rg305,

I get this on the certificate chain enrolled to it. Please see screenshots.

After 9/30 the trust certificate will not authenticate, this is my concern.

Thank you for your support,

Diego

bsisolrac · September 15, 2021, 2:28pm

Having similar issues with winacme (wacs.exe) & wincertes.
My web server: IIS 7
Operating System: Windows Server 2019 Standard
Hosting: Self
I can log into a root shell on my machine: yes
Control Panel: none
version of my client: winacme 2.1.18; wincertes 1.4.3

Nummer378 · September 15, 2021, 2:46pm

This is just Windows doing random things, disregard that.

This is the correct chain. This server is sending everything correctly.

The expiring DST Root CA X3 is intentional. This certificate by IdenTrust is pretty much end of life. That's why ISRG Root X1 - a (new) root by Let's Encrypt - is in the chain, so validators can use that. DST Root CA X3 is still included for older Android compatibility.

rg305 · September 15, 2021, 2:47pm

That is not necessarily what is being served.
That is what is being used (after being built) by your system.
Either:

use an online tool (like the one I linked)
use OpenSSL to retrieve the certs

despinosa · September 16, 2021, 10:30pm

Thanks for the clarification and details. rg305 and Nummer378! I was concern it is was something not intentional and our SSL will crash. After this date, when enrolling the DST will not be reported in the chain trust. I do see my certificates are in a healthy state. Thank you!

system · October 16, 2021, 10:30pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.